DoS Attack Against Bind

First and foremost, my ISPConfig server was set up exactly as shown in this tutorial: Perfect Server

For the past 36 hours, my ISPConfig server has been up and down like a basketball for no apparent reason. The server never restarted, no services failed, no logs that stood out to me, etc, etc.

After looking at our firewall, I found that there was a continuous 5mbps upload for DNS traffic alone!!

Many hours later, I found out that my DNS server had the "recursion" option enabled, which allowed anyone in the world to use my DNS server to look up any website it pleased rather than only responding to the DNS zones that I personally host.

After I disabled recursion, I found that the "/var/log/messages" log file was being inundated with lines that show the following:

I realized very quickly that I was receiving anywhere between 100-750 DNS queries every second!! After much more research, I finally configured the application fail2ban to watch my DNS logs and ban any IP address after 3 failed DNS queries for a period of 5 minutes.

Here is how I did it:

Disabling Recursion

The first thing I found was that by default, recursion was enabled on the bind server. I turned this off by editing the file /etc/named.conf:
Before:

recursion yes;


After:

recursion no;


Configuring Fail2Ban
Firstly, make the bind log file

mkdir /var/log/named
chmod a+w /var/log/named


Next, edit /etc/named.conf and edit the logging options to show the following:

The only other thing to be mindful of is whether or not the network firewall can handle the load. Although this significantly decreased the server load by performing the steps above, the DNS connections still needed to pass through the hardware firewall before the connection was passed onto the ISPConfig server and finally rejected by iptables.
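As an added illustration of the fail2ban logic the post relies on (this is example code written for this page, not the poster's configuration and not fail2ban's own implementation), the script below replays the same rule the post describes, ban a client after 3 refused queries within a window for 5 minutes, over constructed BIND query-log lines. The log lines are made up for the example in the `query (cache) '...' denied` format BIND writes when recursion is refused; the 600-second search window is an assumption (fail2ban's default findtime), as the post does not state one. The point it shows is that a ban is counted per source IP, that the window slides, and that a banned client's further packets are ignored until the ban expires, which is why the hardware firewall in front of the server still sees the traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not from the original post) in the format BIND logs
# when it refuses a recursive query after "recursion no;" is set.
SAMPLE_LOG = """\
09-Jan-2012 10:00:00.100 client 198.51.100.7#53421: query (cache) 'example.com/A/IN' denied
09-Jan-2012 10:00:00.350 client 198.51.100.7#53421: query (cache) 'isc.org/ANY/IN' denied
09-Jan-2012 10:00:01.020 client 203.0.113.9#4000: query (cache) 'example.net/MX/IN' denied
09-Jan-2012 10:00:01.900 client 198.51.100.7#53421: query (cache) 'example.org/A/IN' denied
09-Jan-2012 10:00:02.400 client 198.51.100.7#53421: query (cache) 'example.com/A/IN' denied
09-Jan-2012 10:06:30.000 client 198.51.100.7#53421: query (cache) 'example.com/A/IN' denied
09-Jan-2012 10:06:31.000 client 203.0.113.9#4000: query (cache) 'example.net/MX/IN' denied
09-Jan-2012 10:06:32.000 client 203.0.113.9#4000: query (cache) 'example.net/MX/IN' denied
"""

# Equivalent of a fail2ban failregex: timestamp, client IP#port, refused query.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query \(cache\) '(?P<q>[^']+)' denied$"
)


def parse_line(line):
    """Return (timestamp, client_ip, query) for a refused-query line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("ip"), m.group("q")


def ban_decisions(lines, maxretry=3, findtime=timedelta(seconds=600),
                  bantime=timedelta(minutes=5)):
    """Replay log lines and return the list of (timestamp, ip) ban events.

    maxretry=3 and bantime=5 minutes are the values from the post; the
    findtime window is an assumption (fail2ban's default of 600 s).
    """
    hits = defaultdict(deque)   # per-IP timestamps inside the sliding window
    banned_until = {}           # ip -> datetime when the ban expires
    bans = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue            # not a refused query; ignore the line
        ts, ip, _ = parsed
        if ip in banned_until:
            if ts < banned_until[ip]:
                continue        # still banned: iptables would have dropped this
            del banned_until[ip]
        window = hits[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()    # forget hits older than the search window
        if len(window) >= maxretry:
            bans.append((ts, ip))
            banned_until[ip] = ts + bantime
            window.clear()
    return bans


if __name__ == "__main__":
    for when, ip in ban_decisions(SAMPLE_LOG.splitlines()):
        print(f"{when:%H:%M:%S} ban {ip}")
```

Run against the sample, 198.51.100.7 is banned on its third refused query at 10:00:01 and its fourth line is dropped, while 203.0.113.9 only reaches the threshold at 10:06:32 because its hits are spread out but still fall inside one window. The same three knobs (maxretry, findtime, bantime) map directly onto a fail2ban jail definition.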